First published: Mon May 16 2022(Updated: )
A flaw was found in Spring Security. RegexRequestMatcher can easily be misconfigured in a way that is bypassed on some servlet containers. Applications that use RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass: in Java regular expressions `.` does not match line terminators by default, so a request path carrying one can fall outside the pattern that was meant to protect it.
Credit: security@vmware.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins | <0:2.387.3.1684911776-3.el8 | 0:2.387.3.1684911776-3.el8 |
redhat/spring-security | <5.5.7 | 5.5.7 |
redhat/spring-security | <5.6.4 | 5.6.4 |
redhat/spring-security | <5.7.0 | 5.7.0 |
Vmware Spring Security | <5.5.7 | |
Vmware Spring Security | >=5.6.0<5.6.4 | |
Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.2.0 | |
Oracle Financial Services Crime And Compliance Management Studio | =8.0.8.3.0 | |
Netapp Active Iq Unified Manager Linux | ||
Netapp Active Iq Unified Manager Vmware Vsphere | ||
Netapp Active Iq Unified Manager Windows | ||
maven/org.springframework.security:spring-security-core | <5.4.11 | 5.4.11 |
maven/org.springframework.security:spring-security-core | >=5.5.0<5.5.7 | 5.5.7 |
maven/org.springframework.security:spring-security-core | >=5.6.0<5.6.4 | 5.6.4 |
maven/org.springframework.security:spring-security-web | <5.4.11 | 5.4.11 |
maven/org.springframework.security:spring-security-web | >=5.6.0<5.6.4 | 5.6.4 |
maven/org.springframework.security:spring-security-web | >=5.5.0<5.5.7 | 5.5.7 |
CVE-2022-22978 is a vulnerability in Spring Security's RegexRequestMatcher, which can easily be misconfigured so that its authorization rule is bypassed on some servlet containers.
CVE-2022-22978 has a severity rating of 9.8 (Critical).
CVE-2022-22978 affects Spring Security 5.4.x before 5.4.11, 5.5.x before 5.5.7, 5.6.x before 5.6.4, and older unsupported versions.
CVE-2022-22978 is exploitable when an application protects URLs with a RegexRequestMatcher whose pattern contains `.`. Because `.` in a Java regular expression does not match line terminators by default, a request whose path contains one is not matched by the protecting rule and can fall through to a more permissive rule, on servlet containers that pass such a path to the filter chain.
To fix CVE-2022-22978, update to Spring Security 5.4.11, 5.5.7, 5.6.4, or a later supported version. Until then, review any RegexRequestMatcher pattern that relies on `.` (for example `.*`) and prefer a deny-by-default fallback rule so that an unmatched request is rejected rather than permitted.
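The following is an added example, not code from this page or from Spring Security itself. It reproduces the matching behaviour behind the bypass with plain java.util.regex: an ordered list of rules is evaluated the way a RegexRequestMatcher chain is (the matcher calls `matcher(path).matches()`, so the whole path must match, and the first matching rule wins, with a permissive fallback standing in for `anyRequest().permitAll()`). The request paths are constructed test input, and the example assumes the servlet container hands the decoded line feed to the filter chain, which is the "some servlet containers" condition in the advisory. The patched versions compile the pattern with `Pattern.DOTALL`, which is what the second rule set does here.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added example (not Spring Security code): models how an ordered
 * RegexRequestMatcher chain decides a request, using only java.util.regex.
 */
public class DotBypassDemo {

    /** First rule whose pattern fully matches the path wins; otherwise the permissive fallback applies. */
    static String decide(Map<Pattern, String> rules, String path) {
        for (Map.Entry<Pattern, String> rule : rules.entrySet()) {
            if (rule.getKey().matcher(path).matches()) {
                return rule.getValue();
            }
        }
        return "permitAll (anyRequest fallback)";
    }

    /** One protected prefix, compiled with the given regex flags. */
    static Map<Pattern, String> adminRules(int flags) {
        Map<Pattern, String> rules = new LinkedHashMap<>();
        rules.put(Pattern.compile("/admin/.*", flags), "hasRole(ADMIN)");
        return rules;
    }

    /** Render a path for display with the line feed shown as its percent-encoded form. */
    static String show(String path) {
        return path.replace("\n", "%0A");
    }

    public static void main(String[] args) {
        // Constructed request paths: a normal one, and one carrying a raw line feed,
        // i.e. the decoded form of /admin/users%0A (assumed to reach the filter chain).
        String normal = "/admin/users";
        String withLf = "/admin/users\n";

        // Pre-5.4.11 behaviour: no flags, so '.' excludes line terminators.
        Map<Pattern, String> weak = adminRules(0);
        // Patched behaviour: Pattern.DOTALL makes '.' match line terminators too.
        Map<Pattern, String> fixed = adminRules(Pattern.DOTALL);

        System.out.println("weak  " + show(normal) + " -> " + decide(weak, normal));
        System.out.println("weak  " + show(withLf) + " -> " + decide(weak, withLf));
        System.out.println("fixed " + show(withLf) + " -> " + decide(fixed, withLf));
        System.out.println("fixed " + show(normal) + " -> " + decide(fixed, normal));
    }
}
```

Run with `javac DotBypassDemo.java && java DotBypassDemo`. With the unflagged pattern the path ending in a line feed is not a full match for `/admin/.*`, so it drops to the fallback rule; with `Pattern.DOTALL` both paths hit the `hasRole(ADMIN)` rule. Whether the container still routes that request to the admin handler is container-specific, which is why the only reliable fix is upgrading, with a deny-by-default fallback as a defence in depth.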